HIPAA settlement highlights the importance of caution in responding to negative online reviews
On December 14, 2022, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) ended the year with another settlement, its 22nd of the year, highlighting how easily social media can get covered entities and their business associates into trouble under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This settlement concluded that a dental practice impermissibly disclosed protected health information (PHI) through social media when it responded to negative online reviews.
Specifically, OCR found that the practice impermissibly disclosed patient names, treatment, and insurance information. In many instances, users provided only their online “moniker” when leaving reviews about the practice on Yelp. However, the practice’s responses to the reviews would then add details that may not have been disclosed in the reviews themselves, including the aforementioned PHI.
This settlement resulted from a lengthy OCR investigation. OCR initiated its investigation all the way back in 2017 after receiving a complaint that the practice “habitually” disclosed patients’ PHI. OCR’s investigation indicated that the practice impermissibly disclosed PHI, failed to provide a compliant Notice of Privacy Practices, and failed to implement HIPAA privacy policies and procedures, including with respect to the release of PHI on social media/public platforms.
In addition to a monetary resolution, the settlement requires the practice to enter into a two-year Corrective Action Plan, which, among other actions, requires the practice to assess, update and revise, as necessary, its privacy policies, including policies addressing its use of electronic PHI (e.g., email, internet and social media sites), its Notice of Privacy Practices, and its breach notification reporting and response. The practice must also take various mitigation steps, including training its workforce members, removing social media posts dating as far back as January 1, 2014, and issuing breach notifications to affected individuals or their representatives.
This settlement serves as a good reminder that – unlike patients who may freely share their own private information in online reviews – covered entities and their business associates are subject to significant limitations under HIPAA when responding to those reviews, whether good or bad. Covered entities and their business associates should carefully review and update, as needed, their social media policies and procedures, notices of privacy practices, and HIPAA authorization forms consistent with this settlement and assess whether they should conduct any additional workforce training. Covered entities should also assess their breach notification policies and procedures to ensure that those policies and procedures sufficiently facilitate the internal reporting of suspected breaches to allow for an appropriate investigation of, and response to, any breaches in a timely manner.
If you have any questions about HIPAA compliance or your obligations, please contact your DLA Piper relationship partner, the authors of this alert, or any member of our healthcare industry or privacy groups.